Gelen James wrote:


Hi all,

Not sure whether it is a bug or a feature, but when I evaluate the IPA net
groups, the 'external host' feature brings me some unexpected results.
I'll list them below -- I am running IPA 2.1.3-9 on Red Hat 6.2.

1. When I added a host into an IPA netgroup in command-line mode, 'ipa
netgroup-add-member <netgroup> --hosts=<client>', and the host is not
yet installed/configured as an IPA client, it shows in the 'external host'
category in the output of the 'ipa netgroup-find <netgroup>' command.
The 'external host' doesn't show up in the Web interface for the IPA net
group. But it does show up when running 'ipa netgroup-find', or even
'getent <netgroup>' via sssd.

2. After the 'external host' is configured as an IPA client -- 'ipa
user-find <client>' proves it -- it is still reported as 'external host'
by the command 'ipa netgroup-find', and still does not show up in the web
interface either. Could this be a bug?

3. Because of #2 above, when this machine is reconfigured and removed
with 'ipa user-del <client>', it still shows up in the containing netgroups
and nested netgroups, and has to be removed manually. :(

4. This could be a real bug: you can add an 'external host' with either
a host's bare name or its FQDN. Then, after the machine is installed,
when you would like to remove it from the 'external host' category with the
command 'ipa user-del <client>', it will remove the FQDN entry
only, and leave the bare name there forever, until you delete the whole
containing netgroup!

[root@ipaclient02 ~]# ipa netgroup-find external-ng
-------------------
1 netgroups matched
-------------------
Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02,
ipaclient02.mac.example.com

----------------------------
Number of entries returned 1
----------------------------

[root@ipaclient02 ~]# getent netgroup external-ng
external-ng (dnsmaster.example.com, -, example.com)
(ipaclient02.mac.example.com, -, example.com)

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
--hosts=ipaclient02
Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02
---------------------------
Number of members removed 1
---------------------------

[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
--hosts=ipaclient02
Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02
Failed hosts/hostgroups:
member host: ipaclient02.example.com: This entry is not a member
---------------------------
Number of members removed 0
---------------------------
[root@ipaclient02 ~]#


An external host is one that is never expected to be added as a host in IPA; however, we don't prevent it. There is no reconciliation done if an external host is added as an IPA host, as you've seen. If you'd like this, please file an enhancement request at https://fedorahosted.org/freeipa/

In 3.0 we have added validation of external host names. Whether this will prevent a bare name or not I'm not sure. I don't know why we would care whether it was fully qualified or not, though yeah, it appears we are automatically adding the domain. I tested this in 2.2 and it worked as expected, a bare name was deletable.

rob
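Since, as the reply says, IPA does no reconciliation between external-host entries and enrolled hosts, a periodic check can flag the stale entries before they hand netgroup membership (and whatever access it grants) to a host that is no longer in the netgroup's intended scope. The following is an added example, not code from the thread or from FreeIPA: it parses the `ipa netgroup-find` output format shown above and reports external-host entries, in both bare and FQDN spelling, that match an enrolled host. The sample output, the enrolled-host set and the list of DNS domains tried for bare names are all constructed assumptions.

```python
import re

# Constructed sample of `ipa netgroup-find` output, modelled on the thread
# (not captured from a real server).
NETGROUP_FIND_OUTPUT = """\
-------------------
1 netgroups matched
-------------------
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com
----------------------------
Number of entries returned 1
----------------------------
"""

# Constructed stand-in for the enrolled hosts `ipa host-find` would list.
ENROLLED_HOSTS = {"ipaclient02.mac.example.com", "ipaserver.example.com"}
# Assumed DNS domains a bare external-host name could be qualified with.
DOMAINS = {"example.com", "mac.example.com"}


def parse_netgroups(text):
    """Return {netgroup name: {field: value}} from netgroup-find output."""
    groups, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+?):\s*(.*)$", line)  # "Field: value" lines only
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Netgroup name":
            current = groups.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return groups


def candidate_fqdns(name, domains):
    """A bare name may denote the host in any of the given domains."""
    return {name} if "." in name else {f"{name}.{d}" for d in domains}


def stale_external_hosts(text, enrolled, domains):
    """Map netgroup -> external-host entries that now match an enrolled host.
    Both spellings are reported, since the thread shows the bare entry
    surviving a remove-member that only strips the FQDN form."""
    stale = {}
    for ng, fields in parse_netgroups(text).items():
        names = [h.strip() for h in fields.get("External host", "").split(",")]
        hits = [h for h in names if h and candidate_fqdns(h, domains) & enrolled]
        if hits:
            stale[ng] = hits
    return stale
```

Feed it the real `ipa netgroup-find` output and the FQDN list from `ipa host-find`; each reported entry is one to remove by hand with `ipa netgroup-remove-member`, trying both spellings.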

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
